
March 20, 2008

Information Centric Security Example

Sure enough, we are starting to see some more posts on the subject. Rich Mogull took up the charge and put a stake in the ground with some guidelines for defining what constitutes an information centric security model. I am glad he did this, both because I think he did a great job and because I realize I cannot. While I am a big proponent, I have far too many preconceived notions about this type of security to provide a neutral definition that does not presuppose some deployment strategies. I am thankful he took the first step, and some of the heat, for proposing this model.

To take this one step further, I want to provide a tangible example of the model: the simplest example of what I consider to be information centric security. I have never spoken with Rich directly on this subject and he may completely disagree, but this is one of the simplest examples I can come up with. It embodies the basic tenets, but it also exemplifies the model’s singular greatest challenge. Of course there is a lot more possible than what I am going to propose here, but this is a starting point.

Consider a digitally signed email encrypted with PGP as a tangible example. 

Following Rich Mogull’s defining tenets/principles post:

  • The data is self describing: it carries a MIME type and attachment, or you can encrypt the payload and leave the business context (the SMTP email header) exposed.
  • The data is self defending in both confidentiality (encrypted with the recipient’s public key) and integrity (digitally signed by the sender).
  • While the business context in this example is somewhat vague, it can be supplied in the email message itself, or added as a separate packet and interpreted by the application(s) that decrypt, verify the hash or read the contents. Basically, it’s variable.
  • The data is protected in motion, does not need network support for security, and really does not care about the underlying medium of conveyance for security, privacy or integrity. The verification can be performed independently once it reaches its destination. And the payload, the message itself, could be wrapped up and conveyed into different applications as well. A trouble ticket application or a customer relationship management application are but two examples of changing business contexts.
  • The policies can work consistently provided there is an agreed upon application processing. I think Rich’s intention was business processing, but it holds for security policies as well. Encryption provides a nice black & white example, as anyone without the appropriate private key is not going to gain access to the email message. Embedded business rules and processes should have some verification that they have not been altered or tampered with, but cryptographic hashes can provide that. We can even add a signed audit trail, verifiable by receiving parties, within the payload.
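The signed-and-encrypted message above, reduced to working code. This is an added illustration, not code from the original post or from any PGP implementation: it stands in for OpenPGP packets with Go’s standard-library RSA-OAEP and Ed25519, the header text and payload are constructed sample values, and the keys are generated at run time. The point it makes is the one in the bullets: the recipient can check integrity and recover the content with nothing but the message and two keys, and a change to the cleartext business context is caught before the payload is ever decrypted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message is the self-describing, self-defending unit: cleartext business
// context plus a payload encrypted to the recipient and signed by the sender.
type Message struct {
	Header     string // cleartext business context (constructed sample values in main)
	Ciphertext []byte // payload encrypted to the recipient's RSA public key (OAEP)
	Signature  []byte // sender's Ed25519 signature over header || ciphertext
}

// Seal encrypts to the recipient (the header as OAEP label binds ciphertext to
// its context), then signs header plus ciphertext.
func Seal(header, payload string, to *rsa.PublicKey, from ed25519.PrivateKey) (*Message, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, []byte(payload), []byte(header))
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(from, append([]byte(header), ct...))
	return &Message{Header: header, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature before decrypting; it needs only the message and
// two keys, nothing from the transport the message arrived over.
func Open(m *Message, from ed25519.PublicKey, me *rsa.PrivateKey) (string, error) {
	if !ed25519.Verify(from, append([]byte(m.Header), m.Ciphertext...), m.Signature) {
		return "", errors.New("integrity: header or payload altered, or not from this sender")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, m.Ciphertext, []byte(m.Header))
	if err != nil {
		return "", errors.New("confidentiality: not addressed to this private key")
	}
	return string(pt), nil
}

func main() {
	me, _ := rsa.GenerateKey(rand.Reader, 2048)
	fromPub, fromPriv, _ := ed25519.GenerateKey(rand.Reader)
	m, _ := Seal("To: ap@example.test", "Pay invoice 4471 to account 9901", &me.PublicKey, fromPriv)
	fmt.Println(Open(m, fromPub, me))      // payload recovered, <nil>
	m.Header = "To: mallory@example.test" // a relay rewrites the context in transit...
	fmt.Println(Open(m, fromPub, me))      // ...and the signature check rejects it
}
```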

I might add that there should be independent ‘Brokerage’ facilities for dispute resolution or verification of some types of rules, process or object state in workflow systems. If recipients can add or even alter some subset of the information, whose copy is the latest and greatest? But anyway, that is too much detail for this example.

The fundamental problem with this model? People. If you do not trust the recipient or user of the data to whom you have provided credentials, the model does not provide privacy. Untrustworthy recipients can leak sensitive information. In our example, hopefully we did not send the email message to them, but obviously we do not always know whom we can trust, or under what circumstances we trust a person. This is serious, but no less of a problem than in just about every other information usage and sharing system ever created.

A note on DLP and Information Centric Security: security that acts directly upon information, and information that embeds its own security, are different concepts. IMO. Under a loose definition, I understand how one could view Data Loss Prevention, in-context monitoring/IDS and even assessment as a data centric examination of security. But this is really not what I am attempting to describe. Maybe we change the name to Embedded Information Security, but that is semantics we can work out later.

One of the commenters on Mogull’s web site references both the Bell-LaPadula and Clark-Wilson papers. These papers are relevant and I will discuss them in a future post, as well as the topic of evolutionary change and novelty. For now, I just want to propose a tangible example.

### Update ###

Hoff was kind enough to pick up this post on his blog. Chris is right that the first bullet is very confusing. What I meant to say is that the business application, email, is self evident. The email header remains as it would normally be. The information is self describing as it is tagged as encrypted content in the message body, or could be an attachment to the email. I mentioned MIME purely for non-text based attachments. Sorry about the word jumble.
